Don’t listen to Cowboys!

Cybersecurity is a vast and complex field, similar to the medical profession. Just as a general practitioner (GP) isn't necessarily an oncologist or a paediatrician, cybersecurity professionals have various specialisations. There are ISO 27001 auditors, penetration testers, incident responders, and many other specialists. It's crucial to understand that no one can be an expert in all these areas, and it's unwise to rely on individuals who claim to know everything. Such overconfident individuals often have superficial knowledge and can quickly misjudge and undermine genuine efforts.


I have observed that many people do not fully appreciate the value that properly implemented Cyber Essentials (CE) brings to an organisation. This has motivated us to be more proactive in raising awareness of the scheme. It is crucial for organisations to seek advice from qualified CE assessors and Certification Bodies. Unfortunately, there are many unqualified individuals who provide incorrect guidance and undermine the integrity of this valuable framework. By relying on properly trained professionals, organisations can be confident they are receiving accurate information and the support needed to improve their cyber security posture.

Cyber Essentials certification can give a false sense of assurance to some, because the basic level is based on a self-assessment questionnaire. Cyber Essentials Plus is a more rigorous process: the controls must be demonstrated with evidence and verified in an external technical audit. Companies often struggle with Cyber Essentials certification for several reasons:

- Lack of management buy-in
- Legacy unsupported systems
- Insufficient security functions and skills
- Dependency on IT teams to implement the controls correctly
- Reliance on IT teams to provide accurate information for the assessment


When it comes to achieving Cyber Essentials certification, here's some key advice:


1. Speak to a Qualified and Experienced Cyber Essentials Assessor

A qualified Cyber Essentials assessor has undergone specific training and understands the intricacies of the framework. They are trained to accurately evaluate assessments and provide correct advice. The more experience they have, the better equipped they are to guide you effectively.

Since the Cyber Essentials scheme has been around for about ten years, an assessor’s experience will generally be within that timeframe. Importantly, Cyber Essentials assessors must be affiliated with a Cyber Essentials Certification Body and cannot operate independently. They undergo regular training and are familiar with the confidential CE marking scheme guidelines, which are exclusive to qualified assessors.

Therefore, always verify advice from non-qualified individuals to ensure its accuracy.

For example: I have been a Cyber Essentials Assessor since 2017, supporting and evaluating quite a lot of assessments over the past seven years. I have witnessed first-hand how this framework has evolved and how it has benefited numerous organisations. The key is not to aim for the badge alone, but to implement the controls correctly for genuine cyber security improvement.


2. Consult an NCSC Cyber Advisor for Cyber Essentials

The National Cyber Security Centre (NCSC) offers the Cyber Advisor scheme to provide trusted cyber security advice to a broader range of organisations. This initiative aims to help organisations find reliable advice and avoid overpaying or purchasing unnecessary services. An NCSC Cyber Advisor for Cyber Essentials should be associated with a Certification Body that is also an NCSC Assured Service Provider. Look for these credentials when seeking advice to ensure you are getting guidance from a legitimate and trusted source. Also note that the Cyber Advisor scheme is new, and not all Cyber Advisors are Cyber Essentials Assessors.


NCSC Certified Cyber Advisor
NCSC Assured Service Provider


3. Avoid Unqualified Individuals Claiming Expertise in Cyber Essentials

Be cautious of individuals who claim to have expertise in Cyber Essentials but lack the proper qualifications and affiliations. Engaging with such individuals can result in misguided advice and potentially jeopardise your certification process.


Why Is This Important?

Achieving Cyber Essentials certification is a structured process that requires adherence to specific standards and practices. Engaging with unqualified individuals can lead to errors, incomplete implementations, and ultimately, failure to achieve certification. By consulting with trained and experienced professionals, you ensure that your organisation meets all necessary requirements and enhances its overall cyber security posture.

Remember, when it comes to cybersecurity, it's crucial to rely on specialists with the appropriate credentials and experience rather than risk relying on less qualified individuals who might lead you astray. Make informed choices to effectively safeguard your organisation.

When requesting a quote for Cyber Essentials or Cyber Essentials Plus, ensure you receive a detailed proposal that includes access to a qualified assessor for CE or CE Plus specifically, not just a security engineer or a security consultant. To verify an assessor's or Certification Body's status, contact IASME for further information.

Meta Defence Labs Ltd has been a Cyber Essentials Certification Body since 2017 and is also a National Cyber Security Centre Assured Solutions Provider for Cyber Essentials. Over the past seven years, we have successfully completed hundreds of assessments, demonstrating our expertise and commitment to helping organisations achieve robust cybersecurity standards. Additionally, we ensure that you have direct access to experienced assessors, providing you with the reliable guidance and support needed throughout the certification process.

Don’t Talk to Cowboys When It Comes to Achieving Cyber Essentials!


Meta Defence Labs - Your trusted security partner



Great article! How do you suggest companies can differentiate between credible providers and those less knowledgeable?

More articles by Chani Simms